Information Commissioner’s Office (ICO)
Scottish Charity Regulator (OSCR)


Memorandum of Understanding between the Information 
Commissioner and the Scottish Charity Regulator 


Introduction 


1. This Memorandum of Understanding (MoU) establishes a framework
for cooperation and information sharing between the Information 
Commissioner (“the Commissioner”) and the Scottish Charity 
Regulator (“OSCR”), collectively referred to as "the parties" 
throughout this document. In particular, it sets out the broad 
principles of collaboration and the legal framework governing the 
sharing of relevant information and intelligence between the parties. 
The shared aims of this MoU are to enable closer working between 
the parties, including the exchange of appropriate information, so 
as to assist them in discharging their regulatory functions. 


2. This MoU is a statement of intent that does not give rise to legally
binding obligations on the part of either the Commissioner or OSCR. 
The parties have determined that they do not exchange sufficient 
quantities of personal data to warrant entering into a separate data 
sharing agreement, but this will be kept under review. 


The role and function of the Information Commissioner 


3. The Commissioner is a corporation sole appointed by Her Majesty
the Queen under the Data Protection Act 2018 to act as the UK’s 
independent regulator to uphold information rights in the public 
interest, promote openness by public bodies and data privacy for 
individuals. 


4. The Commissioner is empowered to take a range of regulatory
action for breaches of the following legislation: 


• Data Protection Act 2018 (DPA);
• General Data Protection Regulation (GDPR);
• Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR);
• Freedom of Information Act 2000 (FOIA);
• Environmental Information Regulations 2004 (EIR);
• Environmental Protection Public Sector Information Regulations 2009 (INSPIRE Regulations);
• Investigatory Powers Act 2016;
• Re-use of Public Sector Information Regulations 2015;
• Enterprise Act 2002;
• Security of Network and Information Systems Directive (NIS Directive); and
• Electronic Identification, Authentication and Trust Services Regulation (eIDAS).


5. Article 57 of the GDPR and Section 115(2)(a) of the DPA 2018 place 
a broad range of statutory duties on the Commissioner, including 
monitoring and enforcement of the GDPR, promotion of good 
practice and adherence to the data protection obligations by those 
who process personal data. These duties sit alongside those relating 
to the other enforcement regimes outlined in paragraph 4 above. 


6. The Commissioner’s regulatory and enforcement powers include: 


• conducting assessments of compliance with the DPA, GDPR, PECR, eIDAS, the NIS Directive, FOIA and EIR;
• issuing information notices requiring individuals, controllers or processors to provide information in relation to an investigation;
• issuing enforcement notices, warnings, reprimands, practice recommendations and other orders requiring specific actions by an individual or organisation to resolve breaches (including potential breaches) of data protection legislation and other information rights obligations;
• administering fines by way of penalty notices in the circumstances set out in section 155 of the DPA;
• administering fixed penalties for failing to meet specific obligations (such as failing to pay the relevant fee to the Commissioner);
• issuing decision notices detailing the outcome of an investigation under FOIA or EIR;
• certifying contempt of court should an authority fail to comply with an information notice, decision notice or enforcement notice under FOIA or EIR; and
• an ability to investigate criminal offences within our remit and either prosecute cases before the courts in England, Wales and Northern Ireland, or make a report to the procurator fiscal in Scotland.


7. Regulation 31 of PECR, as amended by the Privacy and Electronic
Communications (EC Directive) (Amendment) Regulations 2011, 
also provides the Commissioner with the power to serve 
enforcement notices and issue monetary penalty notices as above 
to organisations who breach PECR. This includes, but is not limited 
to, breaches in the form of unsolicited marketing which falls within 
the ambit of PECR, including automated telephone calls made 
without consent, live telephone calls which have not been screened 
against the Telephone Preference Service, and unsolicited electronic 
messages (Regulations 19, 21 and 22 of PECR respectively). 


Functions and powers of OSCR 


8. OSCR is a Non-Ministerial Department, directly accountable to the
Scottish Parliament. OSCR Board of non-executive members is
responsible for strategy and future direction, oversight and
governance.

9. Under section 1 of the Charities and Trustee Investment (Scotland)
Act 2005 (“the 2005 Act”) OSCR is responsible for an effective
regulatory framework for Scottish charities including the granting of
charitable status, maintenance of a public register of charities, the
investigation of apparent misconduct and facilitation and monitoring
of compliance with the Act.


OSCR's general functions are to: 


• Determine whether bodies are charities;
• Keep a public register of charities;
• Encourage, facilitate and monitor compliance by charities with the provisions of the 2005 Act;
• Identify and investigate apparent misconduct in the administration of charities and to take remedial or protective action in relation to such misconduct; and,
• Give information or advice, or make proposals, to the Scottish Ministers on matters relating to OSCR's functions.


Purpose of information sharing 


The purpose of the MoU is to enable the parties to share relevant 
information which enhances their ability to exercise their respective 
functions. 


This MoU should not be interpreted as imposing a requirement on 
either party to disclose information in circumstances where doing so 
would breach their statutory responsibilities. In particular, each 
party must ensure that any disclosure of personal data pursuant to 
these arrangements fully complies with both the GDPR and the DPA 
2018. The MoU sets out the potential legal framework for 
information sharing, but it is for each party to determine for 
themselves that any proposed disclosure is compliant with the law. 


Principles of cooperation and sharing 


14. Subject to any legal restrictions on the disclosure of information
(whether imposed by statute or otherwise) and at its discretion,
OSCR will alert the Commissioner to any potential breaches of the
legislation regulated by the Commissioner discovered whilst
undertaking regulatory duties, and provide relevant and necessary
supporting information.

15. Subject to any legal restrictions on the disclosure of information
(whether imposed by statute or otherwise) and at her discretion,
the Commissioner will alert OSCR to any potential breaches of the
legislation regulated by OSCR discovered whilst undertaking
regulatory duties, and provide relevant and necessary supporting
information.

16. Subject to any legal restrictions on the disclosure of information
(whether imposed by statute or otherwise) and at their discretion,
the parties will:

• Communicate regularly to discuss matters of mutual interest (this may involve participating in multi-agency groups to address common issues and threats); and
• Consult one another on any issues which might have significant implications for the other organisation.

17. The parties will comply with the general laws they are subject to,
including, but not limited to, local data protection laws; the
maintenance of any prescribed documentation and policies; and
comply with any governance requirements in particular relating to
security and retention, and process personal data in accordance
with the statutory rights of individuals.


Lawful basis for sharing information 


Information shared by OSCR with the Commissioner 


18. Section 24 of the 2005 Act permits OSCR to disclose information
with any person, government department, local authority, police
officer or body discharging functions of a public nature if this
disclosure is made for any purpose connected with either OSCR’s
functions or to enable or assist the exercise of the relevant person’s
or body’s statutory functions.

19. OSCR will not disclose information received under the terms of this
MOU to any other person or body without the consent of the
disclosing party.

20. The Commissioner's statutory function relates to the legislation set
out at paragraph 4, and this MoU governs information shared by
OSCR to assist the Commissioner to meet those responsibilities. To
the extent that any such shared information comprises personal
data, as defined under the GDPR and DPA 2018, OSCR is a
Controller so must ensure that it has a lawful basis to share it and
that doing so would otherwise be compliant with the data protection
principles. It must also ensure that sharing the information in
question is consistent with its legal powers.

21. Section 131 of the Data Protection Act 2018 may provide both the
lawful basis, from a data protection perspective, and the legal
power for OSCR to share information with the Commissioner. Under
this particular provision, OSCR is not prohibited or restricted from
disclosing information to the Commissioner by any other enactment
or rule of law provided it is "information necessary for the discharge
of the Commissioner's functions".


Information shared by the Commissioner with OSCR 


22. The Commissioner, during the course of her activities, will receive
information from a range of sources, including personal data. She
will process all personal data in accordance with the principles of
the GDPR, the DPA 2018 and all other applicable legislation. The
Commissioner may identify that information she holds, which may
include personal data, ought to be shared with OSCR as it would
assist them in performing their functions and responsibilities.

23. Section 132(1) of the DPA 2018 states that the Commissioner can
only share confidential information with others if there is lawful
authority to do so. In this context, the information will be
considered confidential if it has been obtained, or provided to, the
Commissioner in the course of, or the purposes of, discharging her
functions, relates to an identifiable individual or business, and is not
otherwise available to the public from other sources. This therefore
includes, but is not limited to, personal data. Section 132(2) of the
DPA 2018 sets out the circumstances in which the Commissioner
will have the lawful authority to share that information with OSCR.
In particular, it will be lawful in circumstances where:

• The sharing was necessary for the purpose of the Commissioner discharging her functions (section 132(2)(c));
• The sharing was made for the purposes of criminal or civil proceedings, however arising (section 132(2)(e)); or
• The sharing was necessary in the public interest, taking into account the rights, freedoms and legitimate interests of any person (section 132(2)(f)).

24. The Commissioner will therefore be permitted to share information
with OSCR in circumstances where it has determined that it is
reasonably necessary to do so in furtherance of one of those
grounds outlined at paragraph 23. In doing so, the Commissioner
will identify the function of OSCR with which that information may
assist, and assess whether that function could reasonably be
achieved without access to the particular information in question. In
particular, where the information proposed for sharing with OSCR
amounts to personal data the Commissioner will consider whether it
is necessary to provide it in an identifiable form in order for OSCR
to perform its functions, or whether disclosing it in an anonymised
form would suffice.

25. If information to be disclosed by the Commissioner was received by
her in the course of discharging her functions as a designated
enforcer under the Enterprise Act 2002, any disclosure shall be
made in accordance with the restrictions set out in Part 9 of that
Act.

26. Where information is to be disclosed by either party for law
enforcement purposes under section 35 (4) or (5) of the DPA 2018
then they will only do so in accordance with an appropriate policy
document as outlined by section 42 of the DPA.

27. Where a request for information is received by either party under
data protection laws, FOIA or EIR, the Freedom of Information
(Scotland) Act 2002 (FOISA) or the Environmental Information
(Scotland) Regulations 2004 (EIR(S)) and where the information
being sought under that request includes information obtained
from, or shared by, the other party, the recipient of the request will
seek the views of the other party. In particular, the receiving party
will have regard to appropriate and relevant code of practice under
section 45 of FOIA, section 60 of FOISA and/or Regulation 16 of the
EIR. However, the decision to disclose or withhold the information
(and therefore any liability arising out of that decision) remains with
the party in receipt of the request, either as Controller in respect of
that data or the public authority that holds the information under
FOIA, FOISA, EIR or EIR(S) (depending on the nature of the
information being sought).

28. While it is intended that the arrangements in this MOU should apply
generally, it is recognised that some circumstances will require
special handling. Nothing in this MOU prevents the making of
arrangements to meet specific exceptional needs.


Method of exchange 


29. Appropriate security measures shall be agreed to protect
information transfers in accordance with the sensitivity of the 
information and any classification that is applied by the sender. 


Confidentiality and data breach reporting 


30. Where confidential material is shared between the parties it will be
marked with the appropriate security classification.

31. Where one party has received information from the other, it will
consult with the other party before passing the information to a
third party or using the information in an enforcement proceeding
or court case.

32. Where confidential material obtained from, or shared by, the
originating party is wrongfully disclosed by the party holding the
information, this party will bring this to the attention of the
originating party without delay. This is in addition to obligations to
report a personal data breach under the GDPR and/or DPA where
personal data is contained in the information disclosed.


Duration and review of the MoU 


33. The parties will monitor the operation of this MoU and will review it
biennially.

34. Any minor changes to this memorandum identified between reviews
may be agreed in writing between the parties.

35. Any issues arising in relation to this memorandum will be notified to
the point of contact for each organisation.


Key contacts 


The parties have both identified a key person who is responsible for
managing this MoU:

Information Commissioner's Office
Email:
Address: Wycliffe House, Water Lane, Wilmslow, SK9 5AF

The Scottish Charity Regulator
Email:
Address: Quadrant House, 9 Riverside Drive, Dundee, DD1 4NY

Those individuals will maintain an open dialogue between each
other in order to ensure that the MoU remains effective and fit for
purpose. They will also seek to identify any difficulties in the
working relationship, and proactively seek to minimise the same.

Signatories

Amanda Williams, Director, Information Commissioner's Office
Maureen Mallon, Interim Chief Executive, Scottish Charity Regulator


Date: es Date: 27 Sone A019